Vulnerability Description
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lfprojects | Valkey-Bloom | < 1.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedccPatch
- https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qwVendor Advisory
FAQ
What is CVE-2026-21864?
CVE-2026-21864 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a sp...
How severe is CVE-2026-21864?
CVE-2026-21864 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-21864?
Check the references section above for vendor advisories and patch information. Affected products include: Lfprojects Valkey-Bloom.